What is NAT-T draft 2? NAT-T draft 2 was introduced because some NAT devices are IKE/IPSec-aware and attempt to process the IKE and IPSec packets passing through them. NAT-T draft 2 changes the IKE UDP source and destination port numbers from 500 to 4500. This UDP header, using port 4500, is inserted between the outer IP header and the ESP or AH header, so the outer IP protocol field changes from 50 (ESP) or 51 (AH) to 17 (UDP).
The IKE packet would appear as:
[IP Header] [UDP Header] [ISAKMP Header] [Payload]
The [UDP Header], after NAT-T is detected, is broken out as:
[Src port 4500] [Dst port 4500] [Length] [Checksum] [Non-ESP marker (0000)] [Payload]
The non-ESP marker, 4 bytes of zero (0000), is added to the UDP segment to distinguish an encapsulated ISAKMP packet from an encapsulated ESP packet, which carries no marker.
How does the Juniper Firewall detect the difference between the draft versions of NAT-T? The Firewall sends two MD5 hashes in the Vendor ID payload during the first two exchanges of Phase 1 negotiations, one hash for "draft 0" and the other for "draft 2":
MD5 hash of "draft-ietf-ipsec-nat-t-ike-00": 4485152d 18b6bbcd 0be8a846 9579ddcc
MD5 hash of "draft-ietf-ipsec-nat-t-ike-02": 90cb8091 3ebb696e 086381b5 ec427b1f
Both VPN peers must send and receive at least one of these hashes for NAT-T setup to continue. If the hashes for both drafts are sent and received, the Firewall uses the NAT-T draft 2 implementation.
ScreenOS 5.1 and later support NAT-T based on draft-ietf-ipsec-nat-t-ike-02.txt and draft-ietf-ipsec-udp-encaps-02.txt, as well as version 0 of these drafts.
For more information on NAT Traversal, please refer to the Concepts and Examples ScreenOS Reference Guide.